
SSL/TLS Overview

SSL offers security for the HTTP protocol
- Authentication of server to client
- Optional authentication of client to server
  - Incompatibly implemented in different browsers
  - CA infrastructure not in widespread use
- Confidentiality of communications
- Integrity protection of communications

Purpose in more detail


Authentication based on certification authorities (CAs)
- Trusted third party with well-known public key
- Certifies who belongs to a public key (domain name and real name of company)
- Example: Verisign

What SSL Does Not Address


- Privacy
- Traffic analysis
- Trust management

Ciphersuites: Negotiating ciphers


- Server authentication algorithm (RSA, DSS)
- Key exchange algorithm (RSA, DHE)
- Symmetric cipher for confidentiality (RC4, DES)
- MAC (HMAC-MD5, HMAC-SHA)

Overview of SSL Handshake


[Figure: SSL handshake, messages exchanged between Client and Server]
Client -> Server: supported ciphers, client random
Server -> Client: chosen cipher, server random, certificate
Client -> Server: encrypted premaster secret
Client and Server: compute keys
Client -> Server: MAC of handshake messages
Server -> Client: MAC of handshake messages

From SSL and TLS by Eric Rescorla

Simplified SSL Handshake

- Client and server negotiate on cipher selection.
- Cooperatively establish session keys.
- Use session keys for secure communication.

Client Authentication Handshake

- Server requests that client send its certificate.
- Client signs a digest of the handshake messages.

SSL Client Certificate

[Figure: SSL handshake with client certificate, messages exchanged between Client and Server]
Client -> Server: supported ciphers, client random
Server -> Client: chosen cipher, server random, certificate, certificate request
Client -> Server: encrypted premaster secret, certificate, certificate verify
Client and Server: compute keys
Client -> Server: MAC of handshake messages
Server -> Client: MAC of handshake messages

From SSL and TLS by Eric Rescorla

Establishing a Session Key


- Server and client both contribute randomness.
- Client sends server a pre-master secret encrypted with the server's public key.
- Use randomness and pre-master secret to create session keys:
  - Client MAC
  - Server MAC
  - Client Write
  - Server Write
  - Client IV
  - Server IV

Establishing a Session Key


[Figure: deriving session keys]
Client random + Premaster secret + Server random
  -> Master secret
  -> Key block
  -> Server MAC key, Client MAC key, Server write key, Client write key, Server IV, Client IV

From SSL and TLS by Eric Rescorla
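The derivation in the figure above, worked through as an added example (not code from the slides or from Rescorla's book): the TLS 1.0 PRF of RFC 2246 turns premaster secret plus both randoms into the 48-byte master secret, then expands the master secret into the key block that is sliced into the six keys. The MAC/key/IV lengths and the sample randoms are constructed assumptions; the slice order is the one RFC 2246 specifies.

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    """TLS 1.0 P_hash data expansion: HMAC chained through A(i)."""
    out, a = b"", seed                                          # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2          # halves overlap by one byte when the length is odd
    s1, s2 = secret[:half], secret[-half:]
    p_md5 = p_hash("md5", s1, label + seed, length)
    p_sha = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(p_md5, p_sha))

# Key block slice order from RFC 2246 section 6.3.
KEY_ORDER = ("client_mac", "server_mac", "client_write", "server_write", "client_iv", "server_iv")

def derive_keys(premaster, client_random, server_random, mac_len=20, key_len=16, iv_len=16):
    """Premaster secret + randoms -> master secret -> key block -> six session keys."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    # Note the reversed order of the randoms for key expansion.
    block = prf(master, b"key expansion", server_random + client_random, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(KEY_ORDER, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys

if __name__ == "__main__":
    # Constructed sample values: 32-byte randoms and a 48-byte RSA premaster secret.
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    premaster = b"\x03\x01" + bytes(46)
    master, keys = derive_keys(premaster, client_random, server_random)
    print("master secret:", master.hex())
    for name in KEY_ORDER:
        print(f"{name:13s} {keys[name].hex()}")
```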

Session Resumption

Problem: Public key crypto expensive
- New TCP connection, reuse master secret.
  - Avoids unnecessary public key cryptography.
- Combines cached master secret with new randomness to generate new session keys.
- Works even when the client IP changes (servers cache on session ID, clients cache on server hostname).

What does a CA-issued Certificate Mean?

No one knows exactly.
- That a public key belongs to someone authorized to represent a hostname?
- That a public key belongs to someone who is associated in some way with a hostname?
- That a public key belongs to someone who has lots of paper trails associated to a company related to a hostname?
- That the CA has no liability?

How to get a Verisign certificate

- Pay Verisign ($300)
- Get DBA license from city hall ($20)
  - No on-line check for name conflicts... can I do business as Microsoft?
- Letterhead from company ($0)
- Notarized document (need driver's license) ($0)

Conclusions:
- Easy to get a fraudulent certificate
- Maybe not so easy to avoid prosecution afterwards

But that's only Verisign's policy

- Many CAs can issue certificates

So many CAs...

Client Authentication on the Web

Interrogative adversaries

- Adaptively query a Web server a reasonable number of times
- Treat server as an oracle for an adaptive chosen message attack
- Don't need any eavesdropping or other network tampering
- Anyone can do it, but surprisingly powerful attack
  - C.f. adaptive chosen-ciphertext attacks, which also sounded improbable

Cookies

- A Web server can store key/value pairs on a client
- The browser resends cookies in subsequent requests to the server
- Cookies can implement login sessions

Netscape cookie example:
  domain         .wsj.com
  Path           /cgi
  SSL?           FALSE
  Expiration     941452067
  Variable name  fastlogin
  Value          bitdiddleMaRdw2J1h6Lfc

Cookies for login sessions


[Figure: cookies for login sessions, messages exchanged between Web browser and Web server]
1. Browser -> Server: POST /login.cgi
2. Server -> Browser: "Welcome" Web page, Set-Cookie: authenticator
3. Browser -> Server: GET /restricted/index.html, Cookie: authenticator
4. Server -> Browser: Content of restricted page

Why? Enter a password once per session

SSL can't protect data sent without SSL

Problem: Secure content can leak through plaintext channels
- Cookie file has a flag to require SSL
  - Not set by BankOnline.com

Trick user into visiting HTTP port


- Just need a link from an unrelated web page
- Cookie automatically sent in the clear
- Network eavesdropper can record it
- Might as well not have used SSL

Letting clients name the price: Instant Shop


Problem: Servers trust clients not to modify HTML variables.
- Price determined by hidden variable in Web page.
- Make a personal copy of the web page.
- Modify it.

Instant Shop example: What a browser displays

Instant Shop example: What's inside

<html><body>
<form action="commit_sale.cgi">
  <input type="hidden" name="item1" value="10">Batteries $10<br>
  <input type="hidden" name="item2" value="99">Biology textbook $99<br>
  <input type="hidden" name="item3" value="25">Britney Spears CD $25<br>
  <input type="submit">Confirm purchase
</form>
</body></html>

Instant Shop example: Malicious client


<html><body>
<form action="commit_sale.cgi">
  <input type="hidden" name="item1" value="0">Batteries $10<br>
  <input type="hidden" name="item2" value="0">Biology textbook $99<br>
  <input type="hidden" name="item3" value="0">Britney Spears CD $25<br>
  <input type="submit">Confirm purchase
</form>
</body></html>

Security through obscurity: NeBride.com


Problem: No cryptographic authentication at all
- Cookie (authenticator) is the username
- Create a cookie with someone's username
  - Instant access to her name, address, phone number, e-mail address, wedding date and place, and password.

Predictable sequence numbers: fatbrain.com


Problem: Customer can determine the authenticator for any other user.
- Authenticators are sequence numbers in the URL.
  https://www.fatbrain.com/HelpAccount.asp?t=0&p1=fubob@mit.edu&p2=540555758
  https://www.fatbrain.com/HelpAccount.asp?t=0&p1=nobob@mit.edu&p2=540555759
- Guess a victim's sequence number by decrementing.
- Access to personal information
- Change address, receive password by email!

wsj.com

- Authenticate subscribers with stateless servers
- Half million paid-subscriber accounts
- Purchase articles, track stock portfolios

Background: The crypt() hash function


Hash function salted with 12 extra bits
- Prevent attacker from building dictionary of hashes of common passwords
- Permute the hash function based on 12-bit seed
- Prepend seed to hashed password for use in verification

Produces one-way function of password
- Only hashes first 8 characters
- Encrypt 0s 25 times with password as key

Used by Unix login
- So put hashed password in world-readable /etc/passwd
- To validate password, hash it and compare to stored hash

wsj.com analysis

Design:  fastlogin = {user, MAC_k(user)}
Reality: fastlogin = user + UNIX-crypt(user + server secret)

Easily produce fastlogin cookies:
  username   crypt() output   fastlogin cookie
  bitdiddl   MaRdw2J1h6Lfc    bitdiddlMaRdw2J1h6Lfc
  bitdiddle  MaRdw2J1h6Lfc    bitdiddleMaRdw2J1h6Lfc

- Usernames matching in the first 8 characters have the same authenticator
- No revocation or expiration.
- This is already bad, but it gets worse...

Obtaining the server secret?


- Adaptive chosen message attack
- Perl script queried WSJ with invalid cookies
- Runs in at most 128 * 8 queries rather than the intended 128^8 (1024 vs. 72057594037927936)
- 1 sec/query yields 17 minutes vs. 10^9 years
- The key is March20

How the attack works


  Secret guess  username  crypt input  worked?
  (none)        bitdiddl  bitdiddl     Yes
  A             bitdidd   bitdiddA     No
  ...           ...       ...          ...
  M             bitdidd   bitdiddM     Yes
  MA            bitdid    bitdidMA     No
  ...           ...       ...          ...
  Ma            bitdid    bitdidMa     Yes
  ...           ...       ...          ...
  March20       b         bMarch20     Yes

Lack of cryptography: highschoolalumni.com


Problem: No cryptographic authentication at all
- Cookie authenticator is the public username and public user ID

Leaking secrets: sprintpcs.com


Problem: Secure content can leak through plaintext channels.
- Site didn't set SSL flag on cookies (like BankOnline.com)
- User logs in with HTTPS, then clicks back to main HTTP page.
- Vulnerable to passive eavesdropper.

Google

Google indexed many cookie files inadvertently placed on the Web. Search for:
- cookies.txt
- avenuea.com FALSE FALSE (cookie set by advertising co.)
- CERT7.DB or text:CERT7.DB (in many cookies.txt files)

A simple scheme that works

auth = expire + data + MAC_k(expire + data)
- where MAC could be HMAC-SHA1, data could be a username or capability, and + denotes concatenation with a delimiter
- Secure against interrogative adversary

But of course, MAC what you mean!


Sign marshalled data, not data with multiple interpretations
badauth = MAC(key, username + expiration)
- (Alice, 21-Apr-2001) -> MAC(key, Alice21-Apr-2001)
- (Alice2, 1-Apr-2001) -> MAC(key, Alice21-Apr-2001)

Same authenticator! Use unambiguous representation or delimiters
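The "simple scheme that works" and the marshalling pitfall, as one added example (not code from the slides or from any of the sites discussed): bad_auth reproduces badauth and its Alice/Alice2 collision, while make_auth/verify_auth build expire + data + HMAC-SHA1 with the MAC taken over length-prefixed fields so no two (expire, data) pairs share a byte string. The key and the '|' delimiter are constructed assumptions.

```python
import hmac
import hashlib

def encode_fields(*fields):
    """Length-prefix each field (netstring style). ("Alice", "21-Apr-2001") and
    ("Alice2", "1-Apr-2001") concatenate identically but encode differently here."""
    out = b""
    for f in fields:
        raw = f.encode("utf-8")
        out += str(len(raw)).encode() + b":" + raw + b","
    return out

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).hexdigest()

def bad_auth(key, username, expiration):
    """The slide's badauth: MAC over plain concatenation, so fields can shift into each other."""
    return mac(key, (username + expiration).encode("utf-8"))

def make_auth(key, expire, data):
    """auth = expire + data + MAC_k(expire + data); '|' delimits the visible fields,
    and the MAC covers the unambiguous length-prefixed encoding of both fields."""
    tag = mac(key, encode_fields(str(expire), data))
    return f"{expire}|{data}|{tag}"

def verify_auth(key, auth, now):
    """Return data if the tag verifies and the authenticator has not expired, else None."""
    try:
        body, tag = auth.rsplit("|", 1)        # tag is last, so data may itself contain '|'
        expire_s, data = body.split("|", 1)
        expire = int(expire_s)
    except ValueError:
        return None
    expected = mac(key, encode_fields(expire_s, data))
    if not hmac.compare_digest(tag, expected):  # constant-time comparison of the tags
        return None
    if now >= expire:                           # expiry is enforced, unlike the wsj.com cookie
        return None
    return data

if __name__ == "__main__":
    KEY = b"constructed-server-secret"          # placeholder key for the demonstration
    print("badauth collides:", bad_auth(KEY, "Alice", "21-Apr-2001") == bad_auth(KEY, "Alice2", "1-Apr-2001"))
    cookie = make_auth(KEY, 1000, "Alice")
    print("cookie:", cookie)
    print("valid at t=999:", verify_auth(KEY, cookie, 999), "| at t=1000:", verify_auth(KEY, cookie, 1000))
```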
